ACL File Access Control List in Linux

Source: Internet
Author: User

In Linux, the subjects that can act on a file (or other resource) fall into three classes: the file owner, the group (which need not be the group the owner belongs to) and other. For each class the read, write and execute (r, w, x) bits, plus the special permission bits, are defined. These three classes are all the traditional model offers: if you want a second group, or a single user from another group, to have permissions that differ from those three classes, the basic mode bits cannot express it.
The ACL (Access Control List) on Linux exists to provide finer-grained permission settings on top of the traditional owner, group and other read, write and execute bits. With ACLs you can set r, w and x for a single named user or group on a single file or directory, which is exactly what is needed when one user or group requires special access. In short, ACLs let you grant specific users or groups their own operation permissions on a file or directory, in addition to the file owner, owning group and others, and so allow much more flexible permission management.
Because ACLs are an extension of the traditional Unix-like permission model, the file system must support them before they can be used; most current file systems do. (ACL support is also required in the kernel; it has been enabled by default since Linux kernel 2.6.)
ACL management commands: getfacl, setfacl, chacl.
The text form of an ACL is a string that acl_from_text(3) parses to obtain the permissions of each user or group. The string is split into multiple entries separated by commas (,).
Each entry has the form tag:name:perm (the name field is also called the qualifier).
The tag can be one of the following:
"user" (or "u") marks a user ACL entry.
"group" (or "g") marks a group ACL entry.
"other" (or "o") marks the entry for everyone else, that is, for processes that match none of the user or group entries in the ACL.
"mask" (or "m") marks the mask entry. A mask entry must be present whenever the ACL contains entries beyond the owner, owning group and other entries; otherwise the chacl command reports an error.
The name can be a user name or a group name. If it is left empty, the entry applies to the owner (for user) or the owning group (for group) of the file or directory. The name can also be given as the user's uid or the group's gid.
perm is the permission set of the user or group, written as a string made from "rwx" in that order, whose meaning everyone knows. To withhold a permission, replace the corresponding letter with "-"; for example, "r-x" grants only read and execute.

getfacl

getfacl displays the file access control list.
Usage: getfacl [-aceEsRLPtpndvh] file...
-a, --access          display the file access control list only
-d, --default         display the default access control list only
-c, --omit-header     do not display the comment header
-e, --all-effective   display all effective permissions
-E, --no-effective    do not display effective permissions
-s, --skip-base       skip files that only have the base entries
-R, --recursive       recurse into subdirectories
-L, --logical         logical walk (follow symbolic links)
-P, --physical        physical walk (do not follow symbolic links)
-t, --tabular         use the tab-separated output format
-n, --numeric         display numeric user/group IDs
-p, --absolute-names  do not strip the leading '/' from path names
-v, --version         display the version and exit
-h, --help            display the help text

Display the file ACL:

getfacl test.txt
# file: test.txt
# owner: root
# group: family
user::rw-
group::rw-
mask::rw-
other::---
The first three lines start with # and give the file name, the file owner and the owning group. They are informational only; --omit-header suppresses them.
user::rw- is the ACL_USER_OBJ entry: the file owner has read and write permission.
group::rw- is the ACL_GROUP_OBJ entry: the owning group has read and write permission.
mask::rw- is the ACL_MASK entry, set to read and write.
other::--- is the ACL_OTHER entry: everyone else has no permission on this file.
An ACL is made up of the following kinds of entries:
ACL_USER_OBJ: equivalent to the owner permission bits in Linux
ACL_USER: the permissions granted to an additional named user for this file
ACL_GROUP_OBJ: equivalent to the group permission bits in Linux
ACL_GROUP: the permissions granted to an additional named group for this file
ACL_MASK: the upper bound on the permissions of the ACL_USER, ACL_GROUP_OBJ and ACL_GROUP entries
ACL_OTHER: equivalent to the other permission bits in Linux
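The entry format (tag:name:perm), the getfacl output above and the role of ACL_MASK can all be exercised without a file system that supports ACLs. The following is an added example, not code from the page or from the acl package: it parses getfacl's long form (and the comma-separated short form), validates the rule that named entries require a mask, computes the effective permission of each entry under the mask, and answers "may this user access the file?" in the POSIX.1e lookup order. The sample ACL, the user zyq and the group jackuser are constructed for illustration.

```python
"""Parse an ACL in the text form described above (getfacl's long form with '#'
header lines, or the comma-separated short form that acl_from_text accepts),
apply the mask, and decide whether a user may access the file in the POSIX.1e
lookup order.  Added example, not code from the page; the sample ACL and the
names in it are constructed."""
from collections import namedtuple

PERM_BITS = {"r": 4, "w": 2, "x": 1}
TAG_ALIASES = {"u": "user", "g": "group", "m": "mask", "o": "other"}
# qualifier "" means the owner (user) or owning group (group); perms is r=4 w=2 x=1
Entry = namedtuple("Entry", "tag qualifier perms")

def parse_perms(text):
    """'r-x' -> 5.  Anything but a three-character rwx/- triple is rejected."""
    if len(text) != 3:
        raise ValueError(f"bad permission string {text!r}")
    bits = 0
    for ch, expect in zip(text, "rwx"):
        if ch == expect:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError(f"bad permission string {text!r}")
    return bits

def perm_text(bits):
    """5 -> 'r-x', the inverse of parse_perms."""
    return "".join(ch if bits & v else "-" for ch, v in PERM_BITS.items())

def parse_acl(text):
    """Entries from getfacl output or from a short 'u::rw-,u:zyq:rwx,...' string."""
    entries = []
    for line in text.splitlines():
        if line.startswith("#"):  # getfacl header lines
            continue
        for piece in line.split(","):
            # getfacl -e appends '#effective:...'; only the stored entry counts
            piece = piece.split("#", 1)[0].strip()
            if not piece:
                continue
            tag, qualifier, perm = piece.split(":")
            tag = TAG_ALIASES.get(tag, tag)
            if tag not in ("user", "group", "mask", "other"):
                raise ValueError(f"unknown tag {tag!r}")
            entries.append(Entry(tag, qualifier, parse_perms(perm)))
    return entries

def is_valid(entries):
    """The three base entries must be present, and a named user or group entry
    requires a mask entry (the rule that makes chacl reject an ACL)."""
    have = {(e.tag, e.qualifier) for e in entries}
    named = any(e.tag in ("user", "group") and e.qualifier for e in entries)
    return {("user", ""), ("group", ""), ("other", "")} <= have and (
        not named or ("mask", "") in have)

def mask_of(entries):
    """Bits of the mask entry, or rwx when the ACL carries no mask."""
    return next((e.perms for e in entries if e.tag == "mask"), 7)

def effective(entries):
    """{(tag, qualifier): effective perms}.  The mask caps named users, the owning
    group and named groups; the owner and other entries are never capped."""
    mask = mask_of(entries)
    out = {}
    for e in entries:
        capped = e.tag == "group" or (e.tag == "user" and e.qualifier != "")
        out[(e.tag, e.qualifier)] = (e.perms & mask) if capped else e.perms
    return out

def access_check(entries, user, groups, owner, owning_group, want):
    """POSIX.1e order: owner entry, else named-user entry, else the matching group
    entries (owning group or named groups), else the other entry.  `want` is the
    requested rwx as a 3-bit value.  A matching group entry that does not grant
    the bits denies; it never falls through to the other entry."""
    perms = {(e.tag, e.qualifier): e.perms for e in entries}
    mask = mask_of(entries)
    if user == owner:
        return (perms[("user", "")] & want) == want
    if ("user", user) in perms:
        return (perms[("user", user)] & mask & want) == want
    matched = [p & mask for (t, q), p in perms.items() if t == "group"
               and ((q == "" and owning_group in groups) or (q != "" and q in groups))]
    if matched:
        return any((p & want) == want for p in matched)
    return (perms[("other", "")] & want) == want

# Constructed sample in getfacl's output format; user and group names are invented.
SAMPLE_ACL = """\
# file: test.sh
# owner: root
# group: family
user::rw-
user:zyq:rwx
group::rw-
group:jackuser:r-x
mask::rw-
other::---
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for (tag, qual), bits in effective(acl).items():
        print(f"{tag}:{qual}: effective {perm_text(bits)}")
    # zyq holds rwx, but the mask rw- strips the execute bit
    print("zyq may execute:", access_check(acl, "zyq", set(), "root", "family", 1))
```

Feeding it a real `getfacl -R` dump is a quick way to audit which named entries a mask silently reduces, and which users end up with more than the mode bits suggest.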

setfacl

setfacl sets the file access control list.
Usage: setfacl [-bkndRLP] {-m|-M|-x|-X ...} file...
-m, --modify=acl        modify the current ACL of the file(s)
-M, --modify-file=file  read the ACL entries to modify from file
-x, --remove=acl        remove entries from the ACL of the file(s)
-X, --remove-file=file  read the ACL entries to remove from file
-b, --remove-all        remove all extended ACL entries
-k, --remove-default    remove the default ACL
    --set=acl           set the ACL of the file(s), replacing the current ACL
    --set-file=file     read the ACL entries to set from file
    --mask              recalculate the effective rights mask
-n, --no-mask           do not recalculate the effective rights mask
-d, --default           operations apply to the default ACL
-R, --recursive         recurse into subdirectories
-L, --logical           logical walk, follow symbolic links
-P, --physical          physical walk, do not follow symbolic links
    --restore=file      restore ACLs from file (the inverse of "getfacl -R")
    --test              test mode: ACLs are not modified
-v, --version           display the version and exit
-h, --help              display the help text
-                       if the file name is "-", setfacl reads the list of file names from standard input
Options -m and -x take ACL rules directly; several rules are separated by commas. Options -M and -X read the rules from a file or from standard input.
Options --set and --set-file set the ACL of a file or directory, replacing whatever was set before.
Options -m (--modify) and -M (--modify-file) modify the ACL rules of a file or directory.
Options -x (--remove) and -X (--remove-file) delete ACL rules.

Set the ACL:

setfacl -m u:zyq:rwx test.sh
The first field is the tag: user (ACL_USER_OBJ and ACL_USER) is abbreviated u,
group (ACL_GROUP_OBJ and ACL_GROUP) is abbreviated g,
mask (ACL_MASK) is abbreviated m,
and other (ACL_OTHER) is abbreviated o.
The second field is the qualifier, such as the user zyq in the example above or a group name such as jackuser. It names the specific user or group whose permissions on the file are being set.
Note that only user and group entries carry a qualifier; for mask and other it is empty.
The third field is the familiar permission string, written exactly as Linux permissions are, so it needs no further explanation.
Once an ACL has been set on a file, a "+" is appended to the permission string in the file listing.

chacl

chacl changes the access control list of files or directories.
Command format: chacl acl filename1 filename2 ...
Its options are:
-b  indicates that two ACLs are given: the first is the file access ACL and the second is the directory default ACL.
-d  sets only the default ACL of a directory. This is useful because, once a directory has a default ACL, files and directories created inside it inherit that ACL.
-R  removes the file access ACL only.
-D  removes the directory default ACL only; this is the reverse of -d.
-B  removes both the access ACL and the default ACL of files and directories; this is the reverse of -b.
-r  modifies the ACL recursively for each file and subdirectory.
-l  lists the access ACL and the default ACL of files and directories.

After ACL entries have been removed with setfacl -x, the "+" still appears at the end of the file's permissions (setfacl -x removes only the named entries; the mask entry stays behind). If you do not want it displayed, use chacl -B to remove all ACLs.
When copying a file with cp, add the -p option so that the file's ACL is copied along with it; a warning is printed for any ACL attribute that cannot be copied.
The mv command moves the file's ACL with it by default; if that is not possible, a warning is printed.

Mask and effective permissions

ACL_MASK is the other key to ACL control. It specifies the upper bound on the permissions of the ACL_USER, ACL_GROUP_OBJ and ACL_GROUP entries. When we set an ACL_USER or ACL_GROUP entry on a file, ACL_MASK is defined (recalculated) at the same time. Once a file carries an ACL, the group permission bits shown for the file are replaced by the ACL_MASK value.

Default ACL

A default ACL is set on a directory; every file created in that directory inherits it as its ACL. Be clear about what a default entry does and does not do: a user who is given read, write and execute/search permission in the directory's default ACL receives those permissions on the files created there later, but that alone does not let the user create or delete files in the directory. Creating and deleting entries needs write and execute permission on the directory itself, so if the user is to do that, you must also add the user to the directory's own access ACL (an ACL_USER entry for that user) before the user can delete and create files in the directory.
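To make the difference between a directory's default ACL and its own access ACL concrete, here is an added example (not code from the page or the acl package). It models the inheritance rule from acl(5): a new object takes the directory's default ACL as its access ACL, then the owner entry, the mask entry (or the owning-group entry when there is no mask) and the other entry are ANDed with the creation mode, and the umask is not applied. ACL entries are (tag, qualifier, perms) tuples; the directory ACLs, the user zyq and the creation modes are constructed, with the default ACL being what `setfacl -d -m u:zyq:rwx` would leave behind.

```python
"""Model what a directory's default ACL does to objects created inside it.
Added example, not code from the page: ACL entries are (tag, qualifier, perms)
tuples with perms as r=4 w=2 x=1, the ACLs below are constructed, and the rule
follows acl(5): the new object takes the default ACL as its access ACL, then the
owner, mask (or owning group when no mask exists) and other entries are ANDed
with the creation mode; the umask is not applied when a default ACL exists."""

def bits(s):
    """'rw-' -> 6."""
    return sum(v for ch, v in zip(s, (4, 2, 1)) if ch != "-")

def inherit(default_acl, mode, is_dir):
    """Return (access_acl, default_acl) of a new object created with `mode`
    (0o666 is what open(2) normally passes for a file, 0o777 what mkdir(2)
    passes for a directory).  Only a directory passes the default ACL on."""
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    caps = {("user", ""): (mode >> 6) & 7,
            ("mask", "") if has_mask else ("group", ""): (mode >> 3) & 7,
            ("other", ""): mode & 7}
    access = [(tag, q, perms & caps.get((tag, q), 7)) for tag, q, perms in default_acl]
    return access, (list(default_acl) if is_dir else [])

def named_user_perms(acl, name):
    """Effective rights of the named-user entry for `name`: its bits ANDed with
    the mask.  None when the ACL has no entry for that user at all."""
    mask = next((p for t, _, p in acl if t == "mask"), 7)
    for t, q, p in acl:
        if t == "user" and q == name:
            return p & mask
    return None

def can_create_in(dir_acl, name):
    """Creating or deleting entries needs w and x on the directory itself.  Only
    a named-user entry is considered here, the case the text above describes."""
    p = named_user_perms(dir_acl, name)
    return p is not None and (p & bits("-wx")) == bits("-wx")

# Constructed: the default ACL that `setfacl -d -m u:zyq:rwx dir` would leave on dir
DIR_DEFAULT_ACL = [("user", "", bits("rwx")), ("user", "zyq", bits("rwx")),
                   ("group", "", bits("r-x")), ("mask", "", bits("rwx")),
                   ("other", "", bits("r-x"))]
# Constructed: the directory's own access ACL, which does not mention zyq
DIR_ACCESS_ACL = [("user", "", bits("rwx")), ("group", "", bits("r-x")),
                  ("other", "", bits("r-x"))]
# Constructed: the same directory after `setfacl -m u:zyq:rwx dir`
DIR_ACCESS_ACL_FIXED = DIR_ACCESS_ACL + [("user", "zyq", bits("rwx")),
                                         ("mask", "", bits("rwx"))]

if __name__ == "__main__":
    file_acl, _ = inherit(DIR_DEFAULT_ACL, 0o666, is_dir=False)
    sub_acl, _ = inherit(DIR_DEFAULT_ACL, 0o777, is_dir=True)
    print("zyq on a new file:", named_user_perms(file_acl, "zyq"))                # 6 = rw-
    print("zyq on a new subdir:", named_user_perms(sub_acl, "zyq"))               # 7 = rwx
    print("zyq may create in dir:", can_create_in(DIR_ACCESS_ACL, "zyq"))         # False
    print("after adding u:zyq:rwx:", can_create_in(DIR_ACCESS_ACL_FIXED, "zyq"))  # True
```

The file case shows why zyq ends up with rw- rather than rwx on ordinary files: the mask entry inherited from the default ACL is ANDed with the 0o666 creation mode, and the named entry is then capped by that mask.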
